mcp-souschef 2.8.0__py3-none-any.whl → 3.2.0__py3-none-any.whl

souschef/converters/playbook.py

@@ -7,6 +7,7 @@ inventory scripts.
 """
 
 import json
+import os
 import re
 import shutil
 import subprocess
@@ -31,7 +32,13 @@ from souschef.core.constants import (
     REGEX_WHITESPACE_QUOTE,
     VALUE_PREFIX,
 )
-from souschef.core.path_utils import _normalize_path, _safe_join
+from souschef.core.path_utils import (
+    _normalize_path,
+    _safe_join,
+    safe_exists,
+    safe_glob,
+    safe_read_text,
+)
 from souschef.parsers.attributes import parse_attributes
 from souschef.parsers.recipe import parse_recipe
 
@@ -42,9 +49,7 @@ except ImportError:
     requests = None
 
 try:
-    from ibm_watsonx_ai import (  # type: ignore[import-not-found]
-        APIClient,
-    )
+    from ibm_watsonx_ai import APIClient  # type: ignore[import-not-found]
 except ImportError:
     APIClient = None
 
@@ -52,12 +57,13 @@ except ImportError:
 MAX_GUARD_LENGTH = 500
 
 
-def generate_playbook_from_recipe(recipe_path: str) -> str:
+def generate_playbook_from_recipe(recipe_path: str, cookbook_path: str = "") -> str:
     """
     Generate a complete Ansible playbook from a Chef recipe.
 
     Args:
         recipe_path: Path to the Chef recipe (.rb) file.
+        cookbook_path: Optional path to the cookbook root for path validation.
 
     Returns:
         Complete Ansible playbook in YAML format with tasks, handlers, and
@@ -73,10 +79,18 @@ def generate_playbook_from_recipe(recipe_path: str) -> str:
 
         # Parse the raw recipe file for advanced features
         recipe_file = _normalize_path(recipe_path)
-        if not recipe_file.exists():
-            return f"{ERROR_PREFIX} Recipe file does not exist: {recipe_path}"
 
-        raw_content = recipe_file.read_text()
+        # Validate path if cookbook_path provided
+        base_path = (
+            Path(cookbook_path).resolve() if cookbook_path else recipe_file.parent
+        )
+
+        try:
+            if not safe_exists(recipe_file, base_path):
+                return f"{ERROR_PREFIX} Recipe file does not exist: {recipe_path}"
+            raw_content = safe_read_text(recipe_file, base_path)
+        except ValueError:
+            return f"{ERROR_PREFIX} Path traversal attempt detected: {recipe_path}"
 
         # Generate playbook structure
         playbook: str = _generate_playbook_structure(
@@ -98,6 +112,8 @@ def generate_playbook_from_recipe_with_ai(
     max_tokens: int = 4000,
     project_id: str = "",
     base_url: str = "",
+    project_recommendations: dict | None = None,
+    cookbook_path: str = "",
 ) -> str:
     """
     Generate an AI-enhanced Ansible playbook from a Chef recipe.
@@ -116,6 +132,9 @@ def generate_playbook_from_recipe_with_ai(
         max_tokens: Maximum tokens to generate.
         project_id: Project ID for IBM Watsonx (required for watson provider).
         base_url: Custom base URL for the AI provider.
+        project_recommendations: Dictionary containing project-level analysis
+            and recommendations from cookbook assessment.
+        cookbook_path: Optional path to the cookbook root for path validation.
 
     Returns:
         AI-generated Ansible playbook in YAML format.
@@ -124,10 +143,18 @@ def generate_playbook_from_recipe_with_ai(
     try:
         # Parse the recipe file
         recipe_file = _normalize_path(recipe_path)
-        if not recipe_file.exists():
-            return f"{ERROR_PREFIX} Recipe file does not exist: {recipe_path}"
 
-        raw_content = recipe_file.read_text()
+        # Validate path if cookbook_path provided
+        base_path = (
+            Path(cookbook_path).resolve() if cookbook_path else recipe_file.parent
+        )
+
+        try:
+            if not safe_exists(recipe_file, base_path):
+                return f"{ERROR_PREFIX} Recipe file does not exist: {recipe_path}"
+            raw_content = safe_read_text(recipe_file, base_path)
+        except ValueError:
+            return f"{ERROR_PREFIX} Path traversal attempt detected: {recipe_path}"
 
         # Get basic recipe parsing for context
         parsed_content = parse_recipe(recipe_path)
@@ -146,6 +173,7 @@ def generate_playbook_from_recipe_with_ai(
             max_tokens,
             project_id,
             base_url,
+            project_recommendations,
         )
 
         return ai_playbook
@@ -165,6 +193,7 @@ def _generate_playbook_with_ai(
     max_tokens: int,
     project_id: str = "",
     base_url: str = "",
+    project_recommendations: dict | None = None,
 ) -> str:
     """Generate Ansible playbook using AI for intelligent conversion."""
     try:
@@ -174,7 +203,9 @@ def _generate_playbook_with_ai(
             return client
 
         # Create the AI prompt
-        prompt = _create_ai_conversion_prompt(raw_content, parsed_content, recipe_name)
+        prompt = _create_ai_conversion_prompt(
+            raw_content, parsed_content, recipe_name, project_recommendations
+        )
 
         # Call the AI API and get response
         ai_response = _call_ai_api(
@@ -333,96 +364,257 @@ def _call_ai_api(
 
 
 def _create_ai_conversion_prompt(
-    raw_content: str, parsed_content: str, recipe_name: str
+    raw_content: str,
+    parsed_content: str,
+    recipe_name: str,
+    project_recommendations: dict | None = None,
 ) -> str:
     """Create a comprehensive prompt for AI conversion."""
-    return f"""You are an expert at converting Chef recipes to Ansible playbooks.
-Your task is to convert the following Chef recipe into a high-quality,
-production-ready Ansible playbook.
-
-CHEF RECIPE CONTENT:
-{raw_content}
-
-PARSED RECIPE ANALYSIS:
-{parsed_content}
-
-RECIPE NAME: {recipe_name}
-
-CONVERSION REQUIREMENTS:
-
-1. **Understand the Intent**: Analyze what this Chef recipe is trying to
-   accomplish. Look at the resources, their properties, and the overall
-   workflow.
-
-2. **Best Practices**: Generate Ansible code that follows Ansible best
-   practices:
-   - Use appropriate modules (ansible.builtin.* when possible)
-   - Include proper error handling and idempotency
-   - Use meaningful variable names
-   - Include comments explaining complex logic
-   - Handle edge cases and failure scenarios
-
-3. **Resource Mapping**: Convert Chef resources to appropriate Ansible
-   modules:
-   - package → ansible.builtin.package or specific package managers
-   - service → ansible.builtin.service
-   - file/directory → ansible.builtin.file
-   - template → ansible.builtin.template
-   - execute → ansible.builtin.command/shell
-   - user/group → ansible.builtin.user/group
-   - mount → ansible.builtin.mount
-
-4. **Variables and Facts**: Convert Chef node attributes to Ansible
-   variables/facts appropriately.
-
-5. **Conditionals**: Convert Chef guards (only_if/not_if) to Ansible when
-   conditions.
-
-6. **Notifications**: Convert Chef notifications to Ansible handlers where
-   appropriate.
-
-7. **Idempotency**: Ensure the playbook is idempotent and can be run
-   multiple times safely.
-
-8. **Error Handling**: Include proper error handling and rollback
-   considerations.
-
-9. **Task Ordering**: CRITICAL: Ensure tasks are ordered logically.
-   - Install packages BEFORE configuring them.
-   - create users/groups BEFORE using them in file permissions.
-   - Place configuration files BEFORE starting/restarting services.
-   - Ensure directories exist BEFORE creating files in them.
-
-10. **Handlers**: Verify that all notified handlers are actually defined
-    in the handlers section.
-
-OUTPUT FORMAT:
-Return ONLY a valid YAML Ansible playbook. Do not include any explanation,
-markdown formatting, or code blocks. The output should be pure YAML that can
-be directly used as an Ansible playbook.
-
-The playbook should include:
-- A proper name
-- Appropriate hosts (default to 'all')
-- Variables section if needed
-- Tasks section with all converted resources
-- Handlers section if notifications are used
-- Any necessary pre_tasks or post_tasks
-
-Example structure:
----
-- name: Convert of {recipe_name}
-  hosts: all
-  become: true
-  vars:
-    # Variables here
-  tasks:
-    # Tasks here
-  handlers:
-    # Handlers here
-
-Focus on creating a functional, well-structured Ansible playbook that achieves
-the same outcome as the Chef recipe."""
+    prompt_parts = _build_base_prompt_parts(raw_content, parsed_content, recipe_name)
+
+    # Add project context if available
+    if project_recommendations:
+        prompt_parts.extend(
+            _build_project_context_parts(project_recommendations, recipe_name)
+        )
+
+    prompt_parts.extend(_build_conversion_requirements_parts())
+
+    # Add project-specific guidance if available
+    if project_recommendations:
+        prompt_parts.extend(_build_project_guidance_parts(project_recommendations))
+
+    prompt_parts.extend(_build_output_format_parts())
+
+    return "\n".join(prompt_parts)
+
+
+def _build_base_prompt_parts(
+    raw_content: str, parsed_content: str, recipe_name: str
+) -> list[str]:
+    """Build the base prompt parts."""
+    return [
+        "You are an expert at converting Chef recipes to Ansible playbooks.",
+        "Your task is to convert the following Chef recipe into a high-quality,",
+        "production-ready Ansible playbook.",
+        "",
+        "CHEF RECIPE CONTENT:",
+        raw_content,
+        "",
+        "PARSED RECIPE ANALYSIS:",
+        parsed_content,
+        "",
+        f"RECIPE NAME: {recipe_name}",
+    ]
+
+
+def _build_project_context_parts(
+    project_recommendations: dict, recipe_name: str
+) -> list[str]:
+    """Build project context parts."""
+    # Extract values to shorten f-strings
+    complexity = project_recommendations.get("project_complexity", "Unknown")
+    strategy = project_recommendations.get("migration_strategy", "Unknown")
+    effort_days = project_recommendations.get("project_effort_days", 0)
+    density = project_recommendations.get("dependency_density", 0)
+
+    parts = [
+        "",
+        "PROJECT CONTEXT:",
+        f"Project Complexity: {complexity}",
+        f"Migration Strategy: {strategy}",
+        f"Total Project Effort: {effort_days:.1f} days",
+        f"Dependency Density: {density:.2f}",
+    ]
+
+    # Add migration recommendations
+    recommendations = project_recommendations.get("recommendations", [])
+    if recommendations:
+        parts.extend(
+            [
+                "",
+                "PROJECT MIGRATION RECOMMENDATIONS:",
+            ]
+        )
+        for rec in recommendations[:5]:  # Limit to first 5 recommendations
+            parts.append(f"- {rec}")
+
+    # Add dependency information
+    migration_order = project_recommendations.get("migration_order", [])
+    if migration_order:
+        recipe_position = _find_recipe_position_in_migration_order(
+            migration_order, recipe_name
+        )
+        if recipe_position:
+            dependencies = ", ".join(recipe_position.get("dependencies", [])) or "None"
+            parts.extend(
+                [
+                    "",
+                    "MIGRATION CONTEXT FOR THIS RECIPE:",
+                    f"Phase: {recipe_position.get('phase', 'Unknown')}",
+                    f"Complexity: {recipe_position.get('complexity', 'Unknown')}",
+                    f"Dependencies: {dependencies}",
+                    f"Migration Reason: {recipe_position.get('reason', 'Unknown')}",
+                ]
+            )
+
+    return parts
+
+
+def _find_recipe_position_in_migration_order(
+    migration_order: list[dict[str, Any]], recipe_name: str
+) -> dict[str, Any] | None:
+    """Find this recipe's position in migration order."""
+    for item in migration_order:
+        cookbook_name = recipe_name.replace(".rb", "").replace("recipes/", "")
+        if item.get("cookbook") == cookbook_name:
+            return item
+    return None
+
+
+def _build_conversion_requirements_parts() -> list[str]:
+    """Build conversion requirements parts."""
+    return [
+        "",
+        "CONVERSION REQUIREMENTS:",
+        "",
+        "1. **Understand the Intent**: Analyze what this Chef recipe is trying to",
+        "   accomplish. Look at the resources, their properties, and the overall",
+        "   workflow.",
+        "",
+        "2. **Best Practices**: Generate Ansible code that follows Ansible best",
+        "   practices:",
+        "   - Use appropriate modules (ansible.builtin.* when possible)",
+        "   - Include proper error handling and idempotency",
+        "   - Use meaningful variable names",
+        "   - Include comments explaining complex logic",
+        "   - Handle edge cases and failure scenarios",
+        "",
+        "3. **Resource Mapping**: Convert Chef resources to appropriate Ansible",
+        "   modules:",
+        "   - package → ansible.builtin.package or specific package managers",
+        "   - service → ansible.builtin.service",
+        "   - file/directory → ansible.builtin.file",
+        "   - template → ansible.builtin.template (CHANGE .erb to .j2 extension)",
+        "   - execute → ansible.builtin.command/shell",
+        "   - user/group → ansible.builtin.user/group",
+        "   - mount → ansible.builtin.mount",
+        "   - include_recipe → ansible.builtin.include_role (for unknown cookbooks)",
+        "   - include_recipe → specific role imports (for known cookbooks)",
+        "",
+        "4. **Template Conversions**: CRITICAL for template resources:",
+        "   - Change file extension from .erb to .j2 in the 'src' parameter",
+        "   - Example: 'config.erb' becomes 'config.j2'",
+        "   - Add note: Templates need manual ERB→Jinja2 conversion",
+        "   - ERB syntax: <%= variable %> → Jinja2: {{ variable }}",
+        "   - ERB blocks: <% code %> → Jinja2: {% code %}",
+        "",
+        "5. **Chef Data Bags to Ansible Vault**: Convert data bag lookups:",
+        "   - Chef::EncryptedDataBagItem.load('bag', 'item') →",
+        "   - Ansible: Use group_vars/ or host_vars/ with ansible-vault",
+        "   - Store sensitive data in encrypted YAML files, not inline lookups",
+        "   - Example: Define ssh_key in group_vars/all/vault.yml (encrypted)",
+        "",
+        "6. **Variables and Facts**: Convert Chef node attributes to Ansible",
+        "   variables/facts appropriately:",
+        "   - node['attribute'] → {{ ansible_facts.attribute }} or vars",
+        "   - node['platform'] → {{ ansible_distribution }}",
+        "   - node['platform_version'] → {{ ansible_distribution_version }}",
+        "",
+        "7. **Conditionals**: Convert Chef guards (only_if/not_if) to Ansible when",
+        "   conditions.",
+        "",
+        "8. **Notifications**: Convert Chef notifications to Ansible handlers",
+        "   where appropriate.",
+        "",
+        "9. **Idempotency**: Ensure the playbook is idempotent and can be run",
+        "   multiple times safely.",
+        "",
+        "10. **Error Handling**: Include proper error handling and rollback",
+        "   considerations.",
+        "",
+        "11. **Task Ordering**: CRITICAL: Ensure tasks are ordered logically.",
+        "   - Install packages BEFORE configuring them.",
+        "   - create users/groups BEFORE using them in file permissions.",
+        "   - Place configuration files BEFORE starting/restarting services.",
+        "   - Ensure directories exist BEFORE creating files in them.",
+        "",
+        "12. **Handlers**: Verify that all notified handlers are actually defined",
+        "    in the handlers section.",
+    ]
+
+
+def _build_project_guidance_parts(project_recommendations: dict) -> list[str]:
+    """Build project-specific guidance parts."""
+    strategy = project_recommendations.get("migration_strategy", "").lower()
+    parts = []
+
+    if "parallel" in strategy:
+        parallel_tracks = project_recommendations.get("parallel_tracks", 2)
+        parts.extend(
+            [
+                "",
+                "11. **Parallel Migration Context**: This recipe is part of a",
+                f"    parallel migration with {parallel_tracks} tracks.",
+                "    Ensure this playbook can run independently without",
+                "    dependencies on other cookbooks in the project.",
+            ]
+        )
+    elif "phased" in strategy:
+        parts.extend(
+            [
+                "",
+                "11. **Phased Migration Context**: This recipe is part of a phased",
+                "    migration approach. Consider dependencies and ensure proper",
+                "    ordering within the broader project migration plan.",
+            ]
+        )
+
+    return parts
+
+
+def _build_output_format_parts() -> list[str]:
+    """Build output format parts."""
+    return [
+        "",
+        "OUTPUT FORMAT:",
+        "Return ONLY a valid YAML Ansible playbook. Do not include any",
+        "   explanation, markdown formatting, or code blocks. The output should",
+        "   be pure YAML that can be directly used as an Ansible playbook.",
+        "",
+        "CRITICAL YAML SYNTAX RULES:",
+        "- Use block mapping style (one key per line) NOT flow mapping style",
+        "- NEVER use { } for mappings with conditionals or complex expressions",
+        "- Correct: Use multi-line format:",
+        "    - name: Include role conditionally",
+        "      ansible.builtin.import_role:",
+        "        name: my_role",
+        "      when: condition_here",
+        "- WRONG: { role: my_role, when: condition }  # This is INVALID",
+        "",
+        "The playbook should include:",
+        "- A proper name",
+        "- Appropriate hosts (default to 'all')",
+        "- Variables section if needed",
+        "- Tasks section with all converted resources",
+        "- Handlers section if notifications are used",
+        "- Any necessary pre_tasks or post_tasks",
+        "",
+        "Example structure:",
+        "---",
+        "- name: Convert of <recipe_name>",
+        "  hosts: all",
+        "  become: true",
+        "  vars:",
+        "    # Variables here",
+        "  tasks:",
+        "    # Tasks here",
+        "  handlers:",
+        "    # Handlers here",
+        "",
+        "Focus on creating a functional, well-structured Ansible playbook that",
+        "achieves the same outcome as the Chef recipe.",
+    ]
 
 
 def _clean_ai_playbook_response(ai_response: str) -> str:
@@ -507,10 +699,18 @@ def _run_ansible_lint(playbook_content: str) -> str | None:
     if shutil.which("ansible-lint") is None:
         return None
 
+    tmp_path = None
     try:
-        with tempfile.NamedTemporaryFile(mode="w", suffix=".yml", delete=False) as tmp:
-            tmp.write(playbook_content)
-            tmp_path = tmp.name
+        # Create temp file with secure permissions (0o600 = rw-------)
+        # Use os.open with secure flags instead of NamedTemporaryFile for better control
+        tmp_fd, tmp_path = tempfile.mkstemp(suffix=".yml", text=True)
+        try:
+            # Write content to file descriptor (atomic operation)
+            with os.fdopen(tmp_fd, "w") as tmp:
+                tmp.write(playbook_content)
+        except Exception:
+            os.close(tmp_fd)
+            raise
 
         # Run ansible-lint
         # We ignore return code because we want to capture output even on failure
@@ -528,7 +728,7 @@ def _run_ansible_lint(playbook_content: str) -> str | None:
     except Exception:
         return None
     finally:
-        if "tmp_path" in locals() and Path(tmp_path).exists():
+        if tmp_path is not None and Path(tmp_path).exists():
             Path(tmp_path).unlink()
 
 
@@ -599,8 +799,9 @@ def analyse_chef_search_patterns(recipe_or_cookbook_path: str) -> str:
         path_obj = _normalize_path(recipe_or_cookbook_path)
 
         if path_obj.is_file():
-            # Single recipe file
-            search_patterns = _extract_search_patterns_from_file(path_obj)
+            # Single recipe file - use parent directory as base path
+            base_path = path_obj.parent
+            search_patterns = _extract_search_patterns_from_file(path_obj, base_path)
         elif path_obj.is_dir():
             # Cookbook directory
             search_patterns = _extract_search_patterns_from_cookbook(path_obj)
@@ -996,9 +1197,8 @@ def main():
 if __name__ == "__main__":
     main()
 '''
-
     # Convert queries_data to JSON string for embedding
-    queries_json = json.dumps(
+    queries_json = json.dumps(  # nosonar
         {
             item.get("group_name", f"group_{i}"): item.get("search_query", "")
             for i, item in enumerate(queries_data)
@@ -1012,39 +1212,66 @@ if __name__ == "__main__":
 # Search pattern extraction
 
 
-def _extract_search_patterns_from_file(file_path: Path) -> list[dict[str, str]]:
-    """Extract Chef search patterns from a single recipe file."""
+def _extract_search_patterns_from_file(
+    file_path: Path, base_path: Path
+) -> list[dict[str, str]]:
+    """
+    Extract Chef search patterns from a single recipe file.
+
+    Args:
+        file_path: Path to the file to parse.
+        base_path: Base directory for path validation.
+
+    Returns:
+        List of search patterns found in the file.
+
+    """
     try:
-        content = file_path.read_text()
+        content = safe_read_text(file_path, base_path)
         return _find_search_patterns_in_content(content, str(file_path))
     except Exception:
         return []
 
 
 def _extract_search_patterns_from_cookbook(cookbook_path: Path) -> list[dict[str, str]]:
-    """Extract Chef search patterns from all files in a cookbook."""
+    """
+    Extract Chef search patterns from all files in a cookbook.
+
+    Args:
+        cookbook_path: Path to the cookbook directory.
+
+    Returns:
+        List of all search patterns found in the cookbook.
+
+    """
     patterns = []
 
-    # Search in recipes directory
+    # Search in recipes directory using safe_glob
     recipes_dir = _safe_join(cookbook_path, "recipes")
-    if recipes_dir.exists():
-        for recipe_file in recipes_dir.glob("*.rb"):
-            file_patterns = _extract_search_patterns_from_file(recipe_file)
-            patterns.extend(file_patterns)
+    if safe_exists(recipes_dir, cookbook_path):
+        for recipe_file in safe_glob(recipes_dir, "*.rb", cookbook_path):
+            patterns_found = _extract_search_patterns_from_file(
+                recipe_file, cookbook_path
+            )
+            patterns.extend(patterns_found)
 
-    # Search in libraries directory
+    # Search in libraries directory using safe_glob
     libraries_dir = _safe_join(cookbook_path, "libraries")
-    if libraries_dir.exists():
-        for library_file in libraries_dir.glob("*.rb"):
-            file_patterns = _extract_search_patterns_from_file(library_file)
-            patterns.extend(file_patterns)
+    if safe_exists(libraries_dir, cookbook_path):
+        for library_file in safe_glob(libraries_dir, "*.rb", cookbook_path):
+            patterns_found = _extract_search_patterns_from_file(
+                library_file, cookbook_path
+            )
+            patterns.extend(patterns_found)
 
-    # Search in resources directory
+    # Search in resources directory using safe_glob
     resources_dir = _safe_join(cookbook_path, "resources")
-    if resources_dir.exists():
-        for resource_file in resources_dir.glob("*.rb"):
-            file_patterns = _extract_search_patterns_from_file(resource_file)
-            patterns.extend(file_patterns)
+    if safe_exists(resources_dir, cookbook_path):
+        for resource_file in safe_glob(resources_dir, "*.rb", cookbook_path):
+            patterns_found = _extract_search_patterns_from_file(
+                resource_file, cookbook_path
+            )
+            patterns.extend(patterns_found)
 
     return patterns
 
@@ -1261,19 +1488,32 @@ def _build_playbook_header(recipe_name: str) -> list[str]:
 def _add_playbook_variables(
     playbook_lines: list[str], raw_content: str, recipe_file: Path
 ) -> None:
-    """Extract and add variables section to playbook."""
+    """
+    Extract and add variables section to playbook.
+
+    Args:
+        playbook_lines: List of playbook lines to add variables to.
+        raw_content: Raw recipe file content.
+        recipe_file: Path to the recipe file, normalized and contained within cookbook.
+
+    """
     variables = _extract_recipe_variables(raw_content)
 
-    # Try to parse attributes file
-    attributes_path = recipe_file.parent.parent / "attributes" / "default.rb"
-    if attributes_path.exists():
-        attributes_content = parse_attributes(str(attributes_path))
-        if not attributes_content.startswith(
-            "Error:"
-        ) and not attributes_content.startswith("Warning:"):
-            # Parse the resolved attributes
-            attr_vars = _extract_attribute_variables(attributes_content)
-            variables.update(attr_vars)
+    # Try to parse attributes file - validate it stays within cookbook
+    cookbook_path = recipe_file.parent.parent
+    attributes_path = _safe_join(cookbook_path, "attributes", "default.rb")
+    try:
+        if safe_exists(attributes_path, cookbook_path):
+            attributes_content = parse_attributes(str(attributes_path))
+            if not attributes_content.startswith(
+                "Error:"
+            ) and not attributes_content.startswith("Warning:"):
+                # Parse the resolved attributes
+                attr_vars = _extract_attribute_variables(attributes_content)
+                variables.update(attr_vars)
+    except ValueError:
+        # Path traversal attempt detected - skip safely
+        pass
 
     for var_name, var_value in variables.items():
         playbook_lines.append(f"    {var_name}: {var_value}")